Vulnerability

Vulnerability activity increased for the period, highlighted by the scheduled releases from Microsoft, Adobe, and Oracle. Additional security advisories and updates were released for the Google Chrome browser, Novell iPrint Client, Citrix XenServer Web Self Service, and Lenovo LANDesk ThinkManagement Console.

Adobe released the Shockwave Player and Flash Player February 2012 Security Update to address multiple vulnerabilities in these products.

Recently released threat research on the Black Hole exploit toolkit reported that this toolkit dominates web vector exploits. Black Hole predominantly attempts to exploit Oracle Java and Adobe vulnerabilities. Although some of these products now include automated update installation, which users should enable, users should be reminded to check those settings and manually update the products if necessary.

In threat activity, the Cisco IronPort Threat Operations Center has reported an increase in travel-related spam messages that include malicious documents or hyperlinks. These malicious messages include fraudulent hotel reservations, airline reservations, and casino messages and advertisements. Details of these malicious messages are in the IntelliShield Threat Outbreak Alerts on the Cisco SIO portal.

IntelliShield published 135 events last week: 65 new events and 70 updated events. Of the 135 events, 82 were Vulnerability Alerts, 10 were Security Activity Bulletins, two were Security Issue Alerts, 38 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 2, February 9, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on targeted systems. Red Hat has released a security advisory and updated packages to address vulnerabilities listed in the Oracle Critical Patch Update January 2012.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 6, February 8, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 6, January 26, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework. FreeBSD has released a security bulletin and updated technical details.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 22, January 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista Software has released a security alert and updated software. Cisco has re-released a security advisory and updated software.
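As an added illustration, not code from the report or from the Apache project, the check below parses an HTTP Range header and flags the request shape behind this DoS: a large number of byte ranges, or ranges that cover the same bytes. MAX_RANGES and the sample headers are constructed for the example, not values taken from the alert.

```python
import re

MAX_RANGES = 5  # tunable; an assumption of this example, not a value from the alert

def parse_range_header(value):
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None if not a valid
    byte-range set (such a header is ignored by the server, not honoured)."""
    if not value.startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m or m.group(1) == m.group(2) == "":
            return None
        ranges.append((int(m.group(1)) if m.group(1) else None,
                       int(m.group(2)) if m.group(2) else None))
    return ranges

def ranges_overlap(ranges, size):
    """True if any two ranges cover a common byte of a `size`-byte body."""
    spans = []
    for start, end in ranges:
        if start is None:                      # suffix range: last `end` bytes
            lo, hi = max(size - end, 0), size - 1
        else:                                  # open-ended or bounded range
            lo, hi = start, size - 1 if end is None else min(end, size - 1)
        if lo <= hi:                           # drop unsatisfiable ranges
            spans.append((lo, hi))
    spans.sort()                               # sorted by start: adjacent check suffices
    return any(spans[i][0] <= spans[i - 1][1] for i in range(1, len(spans)))

def classify_range_request(value, size=1_000_000):
    """'ignore' for a malformed header, 'reject' for too many or overlapping
    ranges (the CVE-2011-3192 request pattern), 'accept' otherwise."""
    ranges = parse_range_header(value)
    if ranges is None:
        return "ignore"
    if len(ranges) > MAX_RANGES or ranges_overlap(ranges, size):
        return "reject"
    return "accept"

# Constructed sample headers, not captured traffic.
SAMPLE_HEADERS = {
    "single": "bytes=0-499",
    "disjoint": "bytes=0-99,200-299",
    "overlapping": "bytes=0-99,50-149",
    "flood": "bytes=0-,0-1,0-2,0-3,0-4,0-5,0-6",
    "malformed": "0-499",
}
```

Running `classify_range_request` over each entry of SAMPLE_HEADERS gives accept, accept, reject, reject, ignore.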

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Physical

There was no significant activity in this category during the time period.

Legal

Jeweler Sues IT Firm for Security Breach

A Chicago jeweler has sued an IT firm, stating that the firm's negligence allowed hackers to access confidential customer data. According to the lawsuit filed, the jeweler was having trouble establishing connectivity to its VPN. Although the work was outside the scope of the IT firm's contract with the jeweler, the IT firm acknowledged the issue and concluded the VPN could not be fixed. In addition, the firm recommended the jeweler go around the VPN solution, assuring the company it would be a safe alternative. Subsequently, this circumventing action led to an immediate security breach in which unidentified hackers gained access, installed malicious software on the credit card processing system and other systems, and as a result removed sensitive data from the jeweler's environment.

IntelliShield Analysis: Just as there are two sides to a coin, analyzing situations such as these immediately provides two viewpoints. The first is ultimately the decisive factor, and that is the fact that the jeweler decided to adhere to the recommendation of the IT firm. This is significant because the second aspect is that the IT firm provided an improper solution to the problem. Moreover, the larger issue is that the customer simply adhered to this bit of bad advice and seemingly did not question the solution provided by the firm. The thought here is how much does an organization trust or rely on its "trusted advisers"? Organizations tend to contract consulting firms and partners to fulfill the areas where they are not as effective or simply lack the expertise. Therefore it stands to reason that when the consulting firm or partner provides advice or solutions, the organization should and likely will trust those solutions because the organization lacks the ability to create solutions on its own. That said, the irony and challenging aspect to this relationship is that the responsibility and accountability for the end customer still fall on the shoulders of the organization.

Trust

An Invisible Window into Your E-mail or Social Media

An opinion article in Wired magazine last week brought to the forefront a commonly used method of gaining access to websites and services: the OAuth protocol. With OAuth, authorizing a third-party website does not require creating a new account on that website or service. Instead, the website where you already have an account issues a token that authenticates you to the third-party website. This protocol eases password administration by reusing access you already have, but it can also allow the third-party site access into your existing account. You may already be using the OAuth protocol if you have ever used your Facebook or Gmail account to access a third-party site or service.

IntelliShield Analysis: The chain of trust when using such authentication methods can grow long and wide. When we use tokens issued by Facebook, Gmail, or other accounts, those additional applications get access to our Facebook pages or our e-mail accounts. Although no evidence exists of malicious intent, the takeaway from this is to be very careful which services you allow access to using third-party services, particularly those with potential access to sensitive information. It may be better advice to never use your access to a service as credentials to access a different service. And never use weak passwords or reuse a password from one site to another. Myriad programs and applications are available for password management, many of them able to sync across different platforms. These applications both provide auto-login capabilities and can generate strong passwords. The website MyPermissions.org provides shortcuts to each of the authentication settings pages of the major e-mail and social media sites.

Identity

There was no significant activity in this category during the time period.

Human

Shooting of Laptop Serves as Daughter's "Punishment"

The video of the North Carolina father, Tommy Jordan, issuing a rebuttal to his daughter's Facebook post and then shooting her laptop is all the rage these days. Jordan's daughter posted a letter on Facebook, relying on certain Facebook restrictions to prevent her parents from seeing the letter, in which she expressed her frustration with all the chores she has to do at home and that her parents are ungrateful. While the daughter had hidden her post from her family group, she failed to account for the fact that her parents would see it through the use of an account that had been set up for the family's dog.

IntelliShield Analysis: Much of the public focus on this incident has been on the daughter's letter about her parents and the father's subsequent reaction by recording his response, both his verbal diatribe and his firing of .45 caliber bullets into the laptop. However, the more important message here is that it is challenging to ensure that the information posted on social media outlets is restricted to those you intend to see it. Facebook has made progress in providing mechanisms within its Privacy Settings to keep certain information shared only with people you trust, as we highlighted in a recent Cisco Security Blog post. But using these settings alone does not always guarantee your information will not reach an unintended audience. Just ask Tommy Jordan's daughter.

Geopolitical

India Shocks Telecom Investors

India's Supreme Court this month revoked all 2G mobile licenses granted since 2008, amid a corruption scandal that has paralyzed the Indian government for the past year. The licenses are said to have been granted by corrupt telecom officials at below-market prices, ostensibly depriving Indian citizens of billions of dollars in potential government revenue that could have been used for badly needed infrastructure upgrades, education, and social programs. Foreign companies did not participate in the original license deals, but later partnered with Indian companies that were granted the cheap licenses. Details on how and whether companies whose licenses were revoked will be compensated remain sketchy. Among the foreign companies that stand to lose out are Norway's Telenor, Russia's Sistema, and the United Arab Emirates' Etisalat.

IntelliShield Analysis: The Supreme Court's move cuts both ways. On the one hand, investors see the house cleaning as part of a necessary process, particularly in what many perceive otherwise to be something of a governance vacuum. Long term, it bodes well for accountability and transparency, and should serve as evidence that India is serious about cleaning up corruption and enforcing the rule of law. Shorter term, it calls into question whether investors can be confident that a contract will be honored, and whether activist courts are preferable to reliable legislative bodies. Telecom investments are risky enough without doubts about whether government-granted licenses will be honored. To be fair, this move also may serve as a reminder of the importance of clear-eyed due diligence for foreign investors doing telecom acquisitions, particularly in emerging markets whose laws and business environment may be just coming up to speed. For now, India's telecom sector is in upheaval, foreign investment is down, and India's Congress Party–led government is seen as floundering. With luck, India will re-emerge in a year or two with a stronger government, accountability, and better enforcement of laws so that foreign investors can with confidence bring back the cash that will help boost India's economy.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.